
AGARI EMAIL 2013 TRUSTINDEX 2ND QUARTER EDITION

100 S. ELLSWORTH Avenue, SUITE 400 : SAN MATEO, CA 94401 : 650.687.5000

©2013 Agari www.agari.com

Introduction to Agari’s TrustIndex – The Benchmark on Threat & Consumer Protection

As attacks get more sophisticated and harder to distinguish, consumers should know who’s putting them at risk – where malicious email links are lurking that lead to the installation of malware that can record keystrokes and steal consumer information, from online credentials to actual money. That’s why we publish the Agari TrustIndex™, to show consumers and businesses alike where consumers are most protected or vulnerable to email attack across industry sectors including Financial Services, E-Commerce, Social Media, Travel, Logistics and Gaming. Many consumers are still unaware that over 95% of data breaches start with a phishing email¹ – the Agari TrustIndex™ uncovers which sectors are the most heavily targeted by attackers and which industries are doing little in the way of consumer protection.

The most significant, but not at all surprising discovery comes from Financial Services where there has been a huge spike in malicious activity, more than doubling from the prior quarter. In fact, consumers are 7 times more likely to receive a malicious email from their bank than from any other type of company – a sobering statistic given the increased reliance on email as a consumer engagement channel. While Financial Services has repeatedly been the target of attacks, and some of the largest banks are hustling to stop the abuse within their technology backend, still less than half of companies are completely securing email and winning back consumer confidence.

Where else should consumers think twice before clicking that link? Travel. This sector, and the airlines in particular, is doing the least of all industries we analyzed to secure email and prevent their consumers from becoming victims of an attack. Even airlines like JetBlue that are well known for being leaders in delivering a better digital experience, are putting customers at risk with very little effort in preventing these types of attacks.

“Ranking companies and Industries based on our ThreatScore™ and TrustScore™ benchmarks finally gives consumers and leading brands visibility into where the target is moving, how aggressively a sector is being threatened, and which companies are taking action to secure email and protect consumer data and trust,” explained Bob Pratt, Agari’s Vice President of Product Management and an enterprise security veteran. “At Agari we’ve analyzed over a trillion emails and blocked over a billion malicious messages – using this data intelligence, we can quantify the industries that are most at risk of attack, identify exactly how attacks are being carried out, and share that knowledge with the consumer and business sectors so that we can put a stop to it.”

Overview: How the Sectors Stack Up

Agari monitored dozens of domains and millions of emails across six major economic sectors for the three months ending June 30, 2013. The Agari TrustIndex™ is composed of two variables, the TrustScore™ and ThreatScore™. The TrustScore™ reflects adoption and deployment of security measures like DMARC (Domain-based Message Authentication, Reporting and Conformance), the most reliable standard for email security. When fully implemented, DMARC virtually eliminates brand abuse through fraudulent email attacks and drastically reduces the risks of consumer loss, reputation damage and financial liability. In fact, 80% of email receivers in the U.S. like Gmail, Yahoo!, Microsoft and AOL have implemented DMARC as a testament to its effectiveness, but that fact alone won’t protect consumers from phishing attacks until the email sending side takes action too.

¹ Source: Verizon 2012 Data Breach Investigations Report

The Agari ThreatScore™ provides a measure of relative risk based on malicious activity and attempted attacks. The metric’s value is a function of the volume of fraudulent emails and legitimate emails sent on a worldwide basis for each domain measured in a given sector. By analyzing changes in ThreatScore™, information security experts assess relative risk compared to other industries and industry averages. And it’s not only Chief Information Security Officers who should be paying attention to these trends – Chief Marketing Officers have a lot at stake too. A recent Gartner study shows that nearly 60% of consumers affected by a phishing attack lost trust in email and changed their online shopping behaviors as a result.

Agari Q2 TrustScores

Agari Q2 ThreatScores

Social Media – Inspiring Brand Trust in Email

Sector          Agari TrustScore     Agari ThreatScore™
Social Media    73 (up 1%)           0.50 (down 19%)

Consumers may be worried about their privacy settings, but in terms of protecting consumers via email, Social Media is the clear leader scoring 73 out of 100 with nearly all of the major social brands reinforcing brand trust by prioritizing email security. With companies such as Facebook, Twitter, Pinterest and Google continuing to invest to protect their email channel and deploy standards such as DMARC, Social Media boasts the strongest defenses in the industry with a TrustIndex of 73.

What changed since last quarter? Instagram – now a fully integrated division of Facebook – stepped up its defenses with additional investment in user trust; its score increased 10 percent, raising the sector’s index by eight-tenths of 1 percent. Facebook and Twitter – two of six companies – recorded perfect scores, the 90th percentile of this quarter’s index. Also of note, LinkedIn and Google trailed by razor-thin margins, delivering close to perfect scores and bolstering the strength of the sector.

What does this mean to the cyber-criminals? “Good news and bad news,” Pratt suggested. “Good news is that Social Media has the best defenses. Bad news is that the cyber-criminals are turning their attention to other sectors that are significantly more vulnerable.” Indeed, Social Media recorded one of the lowest ThreatScores™ of the second quarter – 0.50 – a full nineteen percent drop over the first quarter.

Looking ahead into the third quarter, what’s in store? Most expect the sector to continue to top the TrustIndex although MySpace, the sector laggard, will continue to keep the sector from achieving across the board strong scores.

Financial Services – High Risk, but Pounding the Pavement to Fortify Defenses

Sector                Agari TrustIndex Score     Agari ThreatScore™
Financial Services    39.7 (up 7%)               7.14 (up 122%)

If there’s a sector where consumers should be wary, it’s Financial Services. While this sector continues to make gains, increasing its TrustScore™ 7% over the previous quarter, companies have excellent reason to be diligent – Financial Services remains the industry most susceptible to phishing attacks, as consumers are 7 times more likely to be the victim of an attack with an email from their bank versus any other sector.

The good news is financial companies are hearing the wake-up call; banks, credit unions, investment firms and insurance corporations aggressively embraced DMARC to protect customer trust and safeguard their email channels. Good thing they did, because threat levels increased 122% in the last ninety days, the most dramatic increase of any sector.

The FS-ISAC (Financial Services Information Sharing and Analysis Center) Spring Conference – an annual gathering of senior information security executives from the financial services industry – is credited with increasing the awareness of DMARC and . This year’s conference featured powerful testimonies from representatives of JP Morgan Chase and NACHA.org – the electronic payments association – encouraging the industry to embrace DMARC and more reliable email security measures before they fall prey to a phishing attack.

Indeed, U.S. Bank and Capital One shored up their email defenses, helping to raise the sector’s TrustIndex score by an impressive 7 percent, the largest single-quarter gain in its history. American Express and PayPal also contributed to the sector’s strength with higher-than-average performance.

A few laggards, however, prevented the sector’s growth from reaching even higher heights. Large retail and institutional banks have not focused on email authentication, weighing down the industry’s performance, and larger banks as well are still wrestling with the early steps to get to full DMARC enabled authentication. “Time is not their friend,” warned Pratt of the complacency of companies who are not taking an aggressive stand to authenticate email. “Our studies have validated that the Financial Services industry is the sector which is most vulnerable to a phishing attack, potentially costing innocent consumers millions of dollars.”

How vulnerable? This quarter’s Financial Services ThreatScore™ reached 7.14, the highest of the sectors and almost fourteen times higher than Social Media. “There really is no excuse for a bank or credit union to continue to turn a blind eye or a deaf ear to DMARC,” continued Pratt.

Industry leaders agree. Executives from JPMorgan Chase presented at the FS-ISAC Spring Conference and summarized the industry’s responsibility to protect customer trust. “It’s time for every financial institution to step up to the plate and drive adoption of the DMARC standard in their email ecosystems,” stated Jim Routh, Chair, FS-ISAC Product & Services Committee. “We must lead the way in information risk management, compared to every other industry as it relates to email.” As long as the sector continues to remain the most vulnerable (90 percent probability) and courts continue to require banks to cover the monetary losses from phishing attacks, email authentication will continue to be a hot topic.

Travel – The Sector Laggard

Sector    Agari TrustIndex Score     Agari ThreatScore™
Travel    17.2 (up 15%)              0.26 (down 58%)

Another sector causing consumer concern is Travel – this sector, and airlines in particular, posted the lowest TrustScore™ in this quarter’s report with a score of only 17, showing just how little Travel companies in aggregate are taking meaningful action against email . Not that we aren’t seeing any action – and that’s the bright spot in this sector. The travel TrustScore™ reached 17.2 this quarter, up 15% from its first quarter dismal performance, thanks to the industry leadership of Delta Airlines, which earned the highest score in securing its email channel.

When Delta’s CEO, Richard Anderson, announced its fourth year of record profit in June, a New York Times reporter asked him to describe his leadership style. He said, “Don’t ask people to do things you wouldn’t do and be kind to people.” Delta’s information security leaders have followed this mantra, stepping up record defenses against fraudulent email and safeguarding their email channel.

Others have trailed, not only in protecting customer trust but also in market share. In fact, American Airlines, SkyWest and JetBlue have failed to deploy authentication standards. While companies like American Airlines have endured repeated news headlines about phishing scams victimizing their consumers, airlines still struggle to fortify their defenses. While threat levels have dropped off this quarter – the sector’s ThreatScore™ falling 58% over the last ninety days – one thing you can count on: cyber-criminals will return to target the travel sector and when they sharpen their phishing attacks against travel leaders, many may be left stranded on the tarmac.

Logistics – Protecting Consumers is a Clear Priority

Sector       Agari TrustScore™     Agari ThreatScore™
Logistics    58.8 (up 2%)          1.82 (down 24%)

The logistics sector posted an improvement in email authentication as its TrustScore™ rose 2.25 percent, continuing to lead as the sector with the second highest DMARC adoption rate. Indeed, the sector’s bellwether, the U.S. Postal Service, stepped up its commitment to protect consumer trust in the wake of the well-publicized phishing attack that spoofed the Internal Revenue Service in early April.

The sector’s TrustScore™ is also heavily bolstered by FedEx’s aggressive investment in DMARC and email authentication; the industry leader earned a perfect score. Rob Carter, FedEx’s Chief Information Officer, described the company’s investment in consumer trust. “We spend more than $1 billion a year on technology. Our information security team grows the fastest, invests the most and has the best reputation.”

This is a sharp contrast to FedEx’s competitors, Pratt explained. “Unfortunately, some of the other players in the space aren’t as committed as FedEx.” For example, while the U.S. Postal Service invested in email authentication programs, similar programs at other travel and logistics companies remain in limbo, unable to garner sufficient executive sponsorship or internal support. “We wish we would have seen some more heavyweights in this industry do more to support email authentication,” Pratt added, “Especially since the sector is so vulnerable.”

Some wonder who exactly falls for phishing emails that refer to phony deliveries – wouldn’t consumers know if they were expecting a delivery, before they clicked on a ‘package verification’ email from DHL? Security analyst Graham Cluley cautions that a range of phishing campaigns prey on different profiles of consumers with varying results. In his blog post titled “A DHL delivery which is nothing but malware,” Cluley describes how phishing emails from DHL brand impersonators are so well disguised that many recipients click and inadvertently download malware, even though they have never done business with the company. “It’s not DHL’s fault,” argued Cluley (although others disagree). “You’re well-read about malware threats and you’d never fall for it, but can you say the same for your aunt?”

What can we expect looking forward? If stalled email security projects within the Logistics sector can find executive sponsorship and move into production, then perhaps two of the industry leaders will boost the sector’s TrustScores™. The increasing strength of consumer spending – representing two-thirds of the economy – bodes well for the sector.

E-Commerce – Taking a Bold Stand for Consumer Protection

Sector        Agari TrustIndex™ Score     Agari ThreatScore™
E-Commerce    43.5 (up 8.75%)             0.46 (down 3%)

Last quarter, the TrustIndex™ listed the E-Commerce sector as a distant fourth in email trust and posited that the economic troubles of bricks-and-mortar retail operations were constricting IT budgets of their sister E-Commerce sites, limiting adoption of email security standards. What a difference a quarter makes, observed Pratt. “Ninety days later, we’re seeing a spike in consumer protection programs, accounting for a 9 percent rise in the sector’s TrustIndex™ score,” said Pratt. “Industry titans such as eBay aggressively expanded their email protection driving the performance of the entire sector.” Meanwhile, the sector lurched forward thanks to the perfect scores of Netflix and American Greetings and impressive advances of industry leaders such as Apple and Amazon.com.

Despite this growth, however, the sector was not without setbacks. Dell Computer experienced a contraction as its score dropped by 20 percent. Similarly, several retailers continued to delay implementing email authentication programs depressing the sector’s TrustIndex™ score. OfficeMax, Staples and CDW underperformed relative to their peers, while Sears and Best Buy continued to fail to make meaningful progress toward implementing email security programs.

The improvement in the E-Commerce TrustIndex™ needs to take into consideration the relative risk of the sector. Unlike Financial Services, Logistics and Online Gaming, which rank among the riskiest sectors, E-Commerce has a higher level of relative security. For example, in the second quarter the sector placed in the 25th percentile, suggesting that 75 percent of the verticals were more prone to email phishing attacks than E-Commerce.

Online Gaming – With Consumers Young & Old, Security Should be a Higher Priority

Sector           TrustScore™     ThreatScore™
Online Gaming    37.1            1.42

The Online Gaming sector debuted in this quarter’s TrustIndex™, receiving a score of 37.1 and trailing behind the Financial Services sector. Online Gaming was one of the poorer performing sectors, weighed down as a whole by companies failing to successfully implement any email security. The solitary bright spot came from Blizzard / World of Warcraft, which has solid email authentication practices in place. Not seeing more participation is concerning given that gaming has a significant kids audience that may not be savvy to distinguishing between valid and malicious email.

Many have suggested that the sector’s poor performance is a reflection of the massive economic disruptions that continue to convulse the industry. “The space is going through significant change,” explained Pratt. “This is an industry that will be very different in three years.”

Newzoo, the leading gaming research firm, agrees. For example, social and mobile gaming are growing at over 37 percent year-over-year, yet that’s not enough to compensate for the decrease in spending on console (off 20 percent) and boxed computer games (down 7 percent). What does this mean for the sector’s ability to protect its players from fraudulent emails? “I don’t think it’s reasonable to expect a great deal of change until the industry evens out,” explained Pratt.

Conclusion and Final Recommendations

Without question, the second quarter represented a seismic shift as mainstream industries are finally prioritizing consumer protection and backing the technology and standards like DMARC that make protection possible.

The Travel sector led the growth with a TrustScore™ quarter-over-quarter gain of 15%; however, given it has the lowest TrustScore™ of any industry, Travel will need diligence to inspire the level of email trust Social Media has achieved. E-Commerce and Financial Services followed suit with a close second and third, up 8.7% and 7%, respectively. We continue to see a handful of laggards in most sectors that continue to weigh down the overall averages – industry pressure and support will be important to cement a positive view in consumers’ minds in terms of sector trust.

This quarter’s TrustIndex™ confirmed that Financial Services continues to remain a hot target; its ThreatScore™ increased 122% in the last ninety days alone. Worse, as the industry fortifies against fraudulent email attacks, cyber-criminals respond by directing their fury at the next sector. “Now’s the time for companies across the board – in every sector – to embrace email security, particularly as companies are relying more heavily on email marketing and driving to quick transactions,” explained Pratt. “This quarter’s report confirms the point that it’s not, ‘If you are the target in a wide-scale phishing attack,’ but rather, ‘When you are a target in a wide-scale phishing attack.’”

Which sectors will experience the most debilitating attacks in the next few months? Which ones will mount adequate defenses against the cyber-criminals? Which ones will top the leader board in protecting consumer trust? Find out in October, with the Third Quarter Edition of the Agari Email TrustIndex™.

For inquiries about how Agari compiles the quarterly Email TrustIndex, please contact Agari at [email protected].
